packages/rubygem-sinatra
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2022-45442

Browse Source 
(cherry picked from commit fc40141e4630fd3ac9cebd14c56ca63883702554)
This commit is contained in:
starlet-dx 2024-11-18 10:56:52 +08:00 committed by openeuler-sync-bot
parent ffa8568ccf
commit 8070424a1c
3 changed files with 102 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
backport-CVE-2022-45442-test.patch Normal file
View File

@ -0,0 +1,40 @@
From 1808bcdf3424eab0c659ef2d0e85579aab977a1a Mon Sep 17 00:00:00 2001
From: namusyaka <namusyaka@gmail.com>
Date: Wed, 23 Nov 2022 22:24:02 +0900
Subject: [PATCH] escape filename in the Content-Disposition header
According the multipart form data spec in WHATWG living standard.
Ref: https://html.spec.whatwg.org/#multipart-form-data
Origin:
https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
---
test/helpers_test.rb | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/test/helpers_test.rb b/test/helpers_test.rb
index 463a21d..7201aab 100644
--- a/test/helpers_test.rb
+++ b/test/helpers_test.rb
@@ -781,6 +781,18 @@ class HelpersTest < Minitest::Test
assert_equal '<sinatra></sinatra>', body
end
+ it 'escapes filename in the Content-Disposition header according to the multipart form data spec in WHATWG living standard' do
+ mock_app do
+ get('/attachment') do
+ attachment "test.xml\";\r\next=.txt"
+ response.write("<sinatra></sinatra>")
+ end
+ end
+
+ get '/attachment'
+ assert_equal 'attachment; filename="test.xml%22;%0D%0Aext=.txt"', response['Content-Disposition']
+ assert_equal '<sinatra></sinatra>', body
+ end
end
describe 'send_file' do
--
2.47.0

51
backport-CVE-2022-45442.patch Normal file
View File

@ -0,0 +1,51 @@
From 1808bcdf3424eab0c659ef2d0e85579aab977a1a Mon Sep 17 00:00:00 2001
From: namusyaka <namusyaka@gmail.com>
Date: Wed, 23 Nov 2022 22:24:02 +0900
Subject: [PATCH] escape filename in the Content-Disposition header
According the multipart form data spec in WHATWG living standard.
Ref: https://html.spec.whatwg.org/#multipart-form-data
Origin:
https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
---
lib/sinatra/base.rb | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
index f5d7729..b20a1f7 100644
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@@ -357,16 +357,23 @@ module Sinatra
response['Content-Type'] = mime_type
end
+ # https://html.spec.whatwg.org/#multipart-form-data
+ MULTIPART_FORM_DATA_REPLACEMENT_TABLE = {
+ '"' => '%22',
+ "\r" => '%0D',
+ "\n" => '%0A'
+ }.freeze
+
# Set the Content-Disposition to "attachment" with the specified filename,
# instructing the user agents to prompt to save.
def attachment(filename = nil, disposition = :attachment)
response['Content-Disposition'] = disposition.to_s.dup
- if filename
- params = '; filename="%s"' % File.basename(filename)
- response['Content-Disposition'] << params
- ext = File.extname(filename)
- content_type(ext) unless response['Content-Type'] or ext.empty?
- end
+ return unless filename
+
+ params = format('; filename="%s"', File.basename(filename).gsub(/["\r\n]/, MULTIPART_FORM_DATA_REPLACEMENT_TABLE))
+ response['Content-Disposition'] << params
+ ext = File.extname(filename)
+ content_type(ext) unless response['Content-Type'] || ext.empty?
end
# Use the contents of the file at +path+ as the response body.
--
2.47.0

12
rubygem-sinatra.spec
View File

@ -3,7 +3,7 @@
Summary: Ruby-based web application framework Summary: Ruby-based web application framework
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 2.0.8.1 Version: 2.0.8.1
Release: 3 Release: 4
License: MIT License: MIT
URL: http://www.sinatrarb.com/ URL: http://www.sinatrarb.com/
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
@ -16,6 +16,11 @@ Patch0: rubygem-sinatra-2.0.8.1-Fix-failing-tests.patch
Patch1: Internal-Sinatra-errors-now-extend-Sinatra-Error-test.patch Patch1: Internal-Sinatra-errors-now-extend-Sinatra-Error-test.patch
Patch2: Internal-Sinatra-errors-now-extend-Sinatra-Error.patch Patch2: Internal-Sinatra-errors-now-extend-Sinatra-Error.patch
Patch3: Fix-broken-spec.patch Patch3: Fix-broken-spec.patch
# Security fix
Patch3000: backport-CVE-2022-45442.patch
Patch3001: backport-CVE-2022-45442-test.patch
BuildRequires: rubygems-devel ruby(release) ruby >= 2.2.0 BuildRequires: rubygems-devel ruby(release) ruby >= 2.2.0
%if ! 0%{?bootstrap} %if ! 0%{?bootstrap}
BuildRequires: rubygem(rack) >= 2.0 rubygem(rack-protection) = %{version} rubygem(tilt) BuildRequires: rubygem(rack) >= 2.0 rubygem(rack-protection) = %{version} rubygem(tilt)
@ -42,9 +47,11 @@ pushd %{_builddir}
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch3 -p1 %patch3 -p1
%patch3001 -p1
popd popd
%patch2 -p1 %patch2 -p1
%patch3000 -p1
%build %build
gem build ../%{gem_name}-%{version}.gemspec gem build ../%{gem_name}-%{version}.gemspec
@ -89,6 +96,9 @@ popd
%{gem_instdir}/examples %{gem_instdir}/examples
%changelog %changelog
* Mon Nov 18 2024 yaoxin <yao_xin001@hoperun.com> - 1:2.0.8.1-4
- Fix CVE-2022-45442
* Sat May 11 2024 Zhengxin Guo <guozhengxin@kylinos.cn> - 1:2.0.8.1-3 * Sat May 11 2024 Zhengxin Guo <guozhengxin@kylinos.cn> - 1:2.0.8.1-3
- fix the correctly ignores syntactically invalid range requests test - fix the correctly ignores syntactically invalid range requests test